NETWORK APPLICATION ASSOCIATION

BACKGROUND OF THE INVENTION

The present invention relates generally to computer network connections in a large scale network
environment, and more particularly, to a system and method for providing addresses and ports for specific
nodes in the computer network using a dynamic port management module.

There are many types of computer networks, including local area networks, wide area networks, and the
Internet. Companies and organizations often use local or wide area networks as their private networks to
link individual nodes (e.g., computers) for email communications, remote access, telephone calls, and
internal data sharing. Depending on the sizes of the companies, these private networks can be very large.
In order to maintain the integrity of the private networks, the computers therein are connected through a
gateway to an outside network, such as the Internet, for additional communication purposes.

Often, each node of the private network will have a unique network address for the private
network. The address, however, may not be of the type or format that is commonly used for the outside
network (e.g., Internet Protocol (IP) address for the Internet), and therefore may not be used for
communications with computers outside of the private network. In this situation, the gateway will have
to assign a registered network address to the node of the private network that is communicating through
the gateway with the outside networks. However, in the present art, the gateway only controls the
mapping of unregistered network addresses with the registered addresses, and rarely does anything more.
Due to the complexity of the private networks and their various network applications, and for
security reasons, it is important for the gateway to control which types of communications should be
allowed between the private network and the outside network. For example, the gateway may wish to
block a particular application initiated by any computer inside the private network. However, networking
devices similar to the gateway, such as switches, routers, firewalls, and VPNs, usually do not have the
capability to acquire knowledge about the addresses or ports used for applications that other networking
devices need for communication purposes. Managing the control of an application is made even more
difficult because multiple application sessions can be initiated by multiple computers inside the private
network. Although the gateway may provide IP address and port mapping, and although, when a fixed
port is used for a well-known application, the gateway can block or otherwise control sessions of that
application as long as they use the fixed port, in cases where a port is dynamically assigned for a
particular application session the gateway loses such control and leaves the application session unregulated.

What is needed is a system and method for allowing the gateway to control packet
communications and application sessions, including those that do not use a fixed, predetermined port.
SUMMARY OF THE INVENTION

A method and system is disclosed for controlling packet communications between a first
computer network and a second computer network based on applications. In one example, a network
application association (NAA) driver module implemented in a first computer extracts information about
a network application session and a network address and/or port (address/port) used by the first computer.
The extracted information is used to send packets to a second computer in the second computer network
for the application session when the first computer initially determines a port for the application session.
The NAA driver module sends the extracted information to a gateway node of the first computer network,
the gateway node being implemented with a NAA server module. The gateway node can monitor one or
more packets exchanged between the first and second computer networks. A look-up table is then
established for recording the relation between the application and the network address/port used by the
first computer for the application. The packet communications between the first and second networks are
thus controlled by the gateway node based on the established look-up table.

In another example, the function of associating an application with the network address/port is
integrated with a dynamic port management feature of the gateway. In this example, a driver module
implemented in a first computer of the first computer network extracts information for identifying a
network application session and a network address and a first port used by the first computer to send
packets to a second computer in the second computer network for the application session. The driver
module sends the extracted information to a gateway node of the first computer network, the gateway
node being implemented with a server module and the gateway node dynamically assigning a second port
for the application session. A look-up table is then established for recording the relation among the
application session, the network address of the first computer, the first port, and the second port used for
the application session by the first computer. The gateway node thus controls the packet communications
between the first and second computers based on the established look-up table.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 illustrates a schematic of a network computing environment.

Fig. 2 illustrates a sample data packet.

Fig. 3 illustrates a schematic showing computer architectural layers for an application, its API,
and an IP driver.

Fig. 4 illustrates a network address translation feature performed by a gateway module.

Fig. 5 illustrates a layer schematic for including a NAA server-driver pair for associating network
addresses and ports with predetermined applications according to one example of the present invention.

Fig. 6 illustrates a portion of a packet used in an application session.

Fig. 7 illustrates a portion of a packet used for communications between the NAA driver and the
NAA server of Fig. 5 according to one example of the present invention.

Fig. 8 illustrates a lookup table for associating the network addresses and ports with
predetermined applications according to one example of the present invention.

Fig. 9 illustrates a flow diagram showing a process for completing the network application
association according to one example of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention provides a new and unique method for identifying and associating network
addresses and ports with an application in a computer network environment. The disclosure below uses
various embodiments to illustrate different features of the invention. These embodiments are intended as
examples, and are not intended to limit the invention from that described in the claims.

Referring now to Fig. 1, a network computing environment 10 includes a private network 12
having internally networked computers 14a-14n. The private network 12 is also connected to the Internet
16 via a gateway 18. In the present example, any computing node or computer 14a-14n inside the private
network 12 can communicate with each other, or with a computer connectable through the Internet 16 such as
a computer 20 or a computer of another private network 22. In furtherance of the example, the
information exchanged between any two computers is in the form of data packets and uses a mutually
acceptable network protocol such as the Internet Protocol ("IP").

Referring to Fig. 2, a sample data packet 23 includes header information about the source and
destination computers in communication. A first section 24 indicates the IP address of the
originating/source host/computer, and a second section 25 indicates the IP address of the destination
host/computer. Sections 26 and 28 are identifiers for transport layers (e.g., TCP ports) such as a source
port 26 and a destination port 28. The packet 23 also contains sections such as the data section 29a and
various other sections (e.g., sections 29b and 29c) that may not be directly relevant to the present
invention. With the information contained in these sections of the data packet 23, the packet can be
routed from network to network, and from computer to computer, with ease.

As of today, an IP address is defined by a 32-bit host address represented in dotted decimal
notation (e.g., 10.234.34.4). Limited by its own definition of the 32-bit structure, only 4,294,967,296
unique IP addresses are available for the entire Internet, which far exceed the demands from all the
computers connected or connectable to the Internet. Therefore, the private network 12 uses a limited
number of IP addresses instead of assigning IP addresses for all the computers 14a-14n. The IP addresses
for use with the Internet 16 are called "registered" network addresses, and all others for internal use inside
of the private network 12 are known as "unregistered" network addresses. The use of unregistered
network addresses inherently generates a conflicting problem for communications between two
computers that do not belong to the same private network because all the computers in the private
network 12 are not individually identified with their own registered IP addresses.

Consequently, in order for computers 14a-14n inside the private network 12 to access computers
or servers outside, registered IP addresses must be used. Conventionally, the gateway 18 performs
network address translation (NAT) or network address port translation (NAPT) to identify and distinguish
the source and destination of the transmitted packet to/from the computers 14a-14n. In more generic
terms, NAT refers to translations of network addresses and related fields in a packet to make it
recognizable to a private network and a public network. NAPT is a specific case of NAT in which
modifications are made to the packets in the segments/sections containing transport layer identifiers (e.g.,
TCP/UDP ports) and their related fields.

Viewing inside of the private network 12, each computer (e.g., 14a) is independently assigned an
IP address which is only known to the private network (i.e., the unregistered IP address or the
unregistered network address), therefore facilitating communications among the computers inside the
private network. Assuming the private network 12 has a set of registered network addresses or registered
IP addresses, there is a mapping mechanism available at the location of the gateway 18 to swap the
unregistered IP address to one of the registered IP addresses.

For the sake of further example, it is assumed that a user on computer 14a initiates an FTP
session with a server computer situated outside the private network 12. The computer 14a sends a packet
that contains a source IP address of 10.5.5.5 and a destination IP address of 200.2.22.222. The
destination IP address indicates that the destination is outside of the private network 12. Since the source
IP address 10.5.5.5 is unknown outside of the private network, a return packet from the destination
computer using the destination IP address 10.5.5.5 will not reach the computer 14a. Therefore, before the
initial packet is sent out from the private network 12, the gateway 18 maps or translates the source IP
address to one of the registered IP addresses (e.g., 188.88.8.88). This unique relationship between the
unregistered IP address and the mapped registered address is stored in the gateway 18 for future use.
With the recognizable IP address of 188.88.8.88, a return packet from the outside server will be delivered
to the gateway 18, and the gateway would once again translate the destination IP address to 10.5.5.5 and
forward the packet to computer 14a so that the original FTP session can continue.

Referring now to Fig. 3, for any particular application on a computer using IP addresses and port
numbers (or ports in short), there are three architectural communication entities/layers as shown in block
30: the application 31, the specific application interface (API) 32, and the IP driver 34. When the
application initiates a session, it asks the operating system (e.g., Socket) for a port number. The assigned
port number, along with the IP address associated with the computer, is sent to the IP driver, which
further furnishes each upcoming packet with the IP address and the assigned port number in its header
portion.

Referring to Fig. 4, conventionally, the gateway 18 uses the NAT feature to simply replace the
source's unregistered address with a registered IP address. For example, if the computer in a private
network, which bears an IP address of IPx, initiates an FTP session to an outside server having an IP
address of IPout and a port number 23, the header portion of the packet will look like block 36. As it has
been described with regard to Fig. 2, this header section of the packet indicates that the packet is from a
computer having a source IP address of IPx and a source port of 123, and that the packet is intended to be
routed to a computer with an IP address of IPout and port 23. When a conventional gateway or other NAT
management module receives this packet, the source IP address of the packet is changed to a registered IP
address, such as IP1 as shown in block 38. The IP driver then sends the packet out.
A lookup table (not shown) is also created to indicate that the IP address-port pair IPx:123 has
been changed to IP1:123. Therefore, when a return packet is received by the gateway bearing the
destination IP address of IP1 and port 123, it can be routed correctly to IPx and port 123. It is noted that
in some situations the port number is not changed by the gateway; in such a case, for example, if port
123 is used by an application session, then this port will not be available to other applications in the
private network for a period of time. In some other situations, the port is changed if NAPT is done,
and an available port is dynamically chosen by the gateway for sending out the packet. Although the
ability to dynamically choose a port gives a great benefit for managing the various ports available, as
illustrated above, it increases the level of difficulty for identifying the application.
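To make the translation performed by gateway 18 in Figs. 1 and 4 concrete, the following Python model is an added example and not code from the patent. It keeps the gateway's mapping table for the 10.5.5.5 / 188.88.8.88 FTP exchange of the text and shows the two behaviours just described: plain NAT, where the source port is kept and so becomes unavailable to other hosts for the life of the mapping, and NAPT, where the gateway picks a port of its own dynamically. The packet tuple layout, the gateway port pool and the release() teardown are assumptions made for this example.

```python
# Added example (not from the patent): a toy NAT/NAPT gateway of the kind
# described for gateway 18 in Figs. 1 and 4.  Packets are plain tuples
# (src_ip, src_port, dst_ip, dst_port); that layout and the gateway port
# pool are assumptions made for this example.

PRIVATE_IP = "10.5.5.5"            # unregistered address of computer 14a (from the text)
REGISTERED_IP = "188.88.8.88"      # registered address the gateway maps it to (from the text)
FTP_SERVER = ("200.2.22.222", 23)  # outside FTP server address and port (from the text)


class NatGateway:
    """Translates between unregistered (private) and registered (public) addresses.

    napt=False: classic NAT, the source port is kept, so a second private host
                cannot use the same port through this gateway while the mapping exists.
    napt=True:  NAPT, the gateway picks a free port of its own for each session.
    """

    def __init__(self, registered_ip, napt=False, port_pool=range(40000, 40010)):
        self.registered_ip = registered_ip
        self.napt = napt
        self.free_ports = list(port_pool)   # hypothetical pool of gateway ports (NAPT only)
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, pkt):
        """Rewrite an outgoing packet's source to the registered address and record the mapping."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port)
        if key not in self.outbound:
            if self.napt:
                if not self.free_ports:
                    raise RuntimeError("gateway port pool exhausted")
                pub_port = self.free_ports.pop(0)
            else:
                if src_port in self.inbound:
                    # NAT keeps the port, so it is unavailable to other hosts meanwhile.
                    raise RuntimeError(f"port {src_port} already mapped for another host")
                pub_port = src_port
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return (self.registered_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, pkt):
        """Route a return packet back to the private host; None means no mapping (drop)."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.registered_ip or dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

    def release(self, private_ip, private_port):
        """Tear down a mapping when the session ends; a NAPT port goes back to the pool."""
        pub_port = self.outbound.pop((private_ip, private_port), None)
        if pub_port is None:
            return False
        del self.inbound[pub_port]
        if self.napt:
            self.free_ports.append(pub_port)
        return True


def ftp_round_trip(napt):
    """Walk the FTP example of the text through the gateway; returns (outgoing, returned)."""
    gw = NatGateway(REGISTERED_IP, napt=napt)
    outgoing = gw.translate_out((PRIVATE_IP, 123) + FTP_SERVER)
    # The server replies to what it saw: the registered address and the translated port.
    reply = FTP_SERVER + (outgoing[0], outgoing[1])
    return outgoing, gw.translate_in(reply)


if __name__ == "__main__":
    print(ftp_round_trip(napt=False))
    print(ftp_round_trip(napt=True))
```

In NAT mode a second host trying to use port 123 collides on the gateway, which is the port-reservation problem the text describes; in NAPT mode the second host simply receives the next free gateway port, at the cost that the translated port no longer says anything about which application is behind it.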

Referring now to Fig. 5, the gateway 18 is integrated with a Network Application Association
(NAA) server and is situated between an originating computer 14a and a destination computer 14b. The
originating computer includes an application 42a and an NAA driver 42c. Although only one originating
computer 14a is shown, it is assumed that a NAA driver is provided at each of the computers 14a-14n of
the private network 12 (Fig. 1). According to one example of the present invention, the application 42a
communicates with its API 42b, and then, communicates with the NAA driver 42c instead of
communicating directly with an IP driver 42d. At the gateway 18, the same structure is formed for a
gateway application 44a, its API 44b, the NAA server 44c, and the IP driver 44d for the gateway. The
arrows shown in Fig. 5 are purely for illustration purposes indicating the directions for internal
information flow through different layers at the originating computer 14a, the gateway 18, and the
destination computer 14b. Compared to the example of Fig. 3, it is clear that the NAA server/driver layer
"eavesdrops" on and controls information exchanged between the API layer 32 and the IP driver 34, and thus
builds intelligence into the communications among all three layers. With this structure, the IP address
and port information can be identified and associated with a predetermined application not at the packet
level, but by using higher level communications between the NAA driver and the NAA server.

Continuing with the FTP session example discussed above, when the computer 14a initiates an
FTP session, a communication is first made by the API 42b to the NAA driver 42c installed on the
computer 14a, and then to the IP driver 42d. For illustration purposes, it is assumed that for the FTP
session, the port number assigned is 123 and the IP address is IPx for the computer 14a. Also, the FTP
server in the destination computer 20 bears the IP address of IPout and port 23. Referring to Fig. 6, the
relevant header section 50 of an outgoing data packet is shown to include information about the IPx:123 pair
and the IPout:23 pair. A data section 50a follows the header 50 in the packet. The application layer 42a
conveys this information to the IP driver 42d through its API 42b and the NAA driver 42c before any
packet of the application is sent to the gateway. The NAA driver 42c communicates immediately with
the NAA server 44c to inform the NAA server 44c that the upcoming packets using the IP address and
port of the IPx:123 pair are associated with the FTP application related to the IPout:23 pair, which is directed to
the outside FTP server 20.
This communication process between the NAA driver 42c and server 44c may use a plurality of
packets communicated therebetween. Referring to Fig. 7, for instance, any given packet 52 for the
communication initiated by the NAA driver to the NAA server will have a header section 52a. In these
packets, the source IP address:port pair will still be IPx:123; however, the destination IP address is now an
unregistered IP address of the NAA server, IPy, and the port is set to a predetermined one used by the
gateway 18 such as a "well-known" port 1080. An indicator about the particular application, such as the
FTP session in the immediate example, is embedded in the data section 52b of the packet, which may also
include, in this case, the information about the final destination (e.g., the destination network address and
port for computer 20). It is understood that since this application information is contained in the data
section of the packet, not the header section, various methods can be implemented to have both the NAA
driver and server agree on a predetermined mechanism for each of them to extract such information.

Referring to Fig. 8, a lookup table 60 can be constructed by the NAA server 44c at the gateway
18 from information exchanged between the NAA driver and server to provide network application
association information between the application and various IP addresses and ports used by multiple
computers in the private network. For example, as shown in the lookup table 60, two computers using
IP1:Port1 and IP2:Port2 are both executing the FTP application. If the gateway 18 so wishes, it can control
communication sessions for the FTP application in various manners. For instance, it can block all FTP
application sessions regardless of which computer is the originating computer. It can also block an FTP
application session if it is originated from a predetermined computer such as IP1.

In another example of the present invention, if the IP address and the related port for the
destination computer for a particular application are also sent to the NAA server from the NAA driver in
packets similar to the one shown in Fig. 7, the NAA server will have information about the destination
computer for building the lookup table. Therefore, the lookup table 60 of Fig. 8 can include another
column for such destination information. The gateway 18 can thereby control the application further with
regard to the particular destination computer. For instance, the gateway 18 can block all FTP sessions
with a particular destination computer, while leaving all other FTP sessions executed by other computers
to flow freely through the gateway.

Referring now to Fig. 9, a flow diagram 70 summarizes the steps taken by the NAA driver and NAA
server for associating the IP address and port of a computer node with an application session according to
one embodiment of the present invention. Before all the steps are taken, it is assumed that each computer
or server is loaded with NAA driver software and the gateway 18 is equipped with NAA server software.
Execution begins at step 72, where an application session (communication) is initiated from the NAA
driver. At step 74, a communication process takes place between the NAA driver and NAA server to
inform the NAA server about the application. In addition, the communication process provides the
originating computer's IP address and its corresponding port, and if needed, the IP address and port for
the destination computer. At step 76, the NAA server builds or updates a lookup table based on the
received information. With the information of each application initiated by the computers inside the
private network, at step 78, the gateway exerts intelligent control over any information exchanged
between the private network and the outside network at the granularity of each application.
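The following Python model is an added example, not the patent's own code. It walks the driver/server exchange of Fig. 7 (a packet addressed to the NAA server at IPy, port 1080, with the application indicator and optional destination in its data section), the lookup table of Fig. 8 with its optional destination column, the per-application control of step 78 in Fig. 9, and the dynamically assigned second port of the summary's second example. IPx, IPy, IPout, port 123, port 1080 and port 23 are the values used in the text; the JSON framing of the data section, the gateway port pool, the constructed second host IP2:5555 and the deny-by-default treatment of sessions no driver has announced are assumptions made for this example.

```python
# Added example (not from the patent): NAA driver/server exchange (Fig. 7),
# the lookup table it builds (Fig. 8) and the per-application control of
# step 78 (Fig. 9).  JSON framing, the port pool and the deny-by-default
# policy for unannounced sessions are assumptions made for this example.
import json
from dataclasses import dataclass, field

NAA_SERVER_IP = "IPy"      # unregistered address of the NAA server (from the text)
NAA_SERVER_PORT = 1080     # predetermined "well-known" port named in the text


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: bytes = b""


def naa_driver_announce(app, src_ip, src_port, dst=None):
    """NAA driver side (step 74): the header carries the session's own address/port,
    the data section carries the application indicator and, optionally, the final
    destination.  JSON framing is an assumption; the patent only requires a
    mechanism the driver and server have agreed on."""
    body = {"app": app}
    if dst is not None:
        body["dst"] = list(dst)
    return Packet(src_ip, src_port, NAA_SERVER_IP, NAA_SERVER_PORT,
                  json.dumps(body).encode())


@dataclass
class NAAServer:
    """NAA server side (step 76): builds the lookup table of Fig. 8."""
    table: dict = field(default_factory=dict)   # (src_ip, src_port) -> association
    next_gw_port: int = 40000                   # hypothetical pool for the gateway's second port

    def receive(self, pkt):
        # Only packets addressed to the NAA server's well-known port carry associations.
        if (pkt.dst_ip, pkt.dst_port) != (NAA_SERVER_IP, NAA_SERVER_PORT):
            return None
        info = json.loads(pkt.data.decode())
        entry = {"app": info["app"],
                 "dst": tuple(info["dst"]) if "dst" in info else None,
                 "gw_port": self.next_gw_port}   # second port assigned by the gateway
        self.next_gw_port += 1
        self.table[(pkt.src_ip, pkt.src_port)] = entry
        return entry


@dataclass
class Policy:
    """The three controls described for Fig. 8, plus a default for sessions the
    driver never announced (the patent does not say; deny here is an assumption)."""
    block_apps: set = field(default_factory=set)        # {"FTP"}: every FTP session
    block_app_from: set = field(default_factory=set)    # {("FTP", "IP1")}: FTP from one host
    block_app_to: set = field(default_factory=set)      # {("FTP", ("IPout", 23))}: FTP to one server
    allow_unknown: bool = False


def gateway_decide(server, policy, pkt):
    """Step 78: decide on an outgoing packet from the table, not from its port number."""
    entry = server.table.get((pkt.src_ip, pkt.src_port))
    if entry is None:
        return "allow" if policy.allow_unknown else "deny:unassociated"
    app = entry["app"]
    if app in policy.block_apps:
        return f"deny:{app}"
    if (app, pkt.src_ip) in policy.block_app_from:
        return f"deny:{app}-from-{pkt.src_ip}"
    if (app, (pkt.dst_ip, pkt.dst_port)) in policy.block_app_to:
        return f"deny:{app}-to-{pkt.dst_ip}:{pkt.dst_port}"
    return "allow"


def run_ftp_example(policy):
    """Two hosts announce FTP sessions (the text's IPx:123 and a constructed IP2:5555),
    then the gateway classifies their first data packets and one unannounced packet."""
    server = NAAServer()
    server.receive(naa_driver_announce("FTP", "IPx", 123, dst=("IPout", 23)))
    server.receive(naa_driver_announce("FTP", "IP2", 5555))
    flows = [Packet("IPx", 123, "IPout", 23),
             Packet("IP2", 5555, "IPout", 23),
             Packet("IPz", 9999, "IPout", 23)]   # never announced by any NAA driver
    return server, [gateway_decide(server, policy, p) for p in flows]


if __name__ == "__main__":
    _, decisions = run_ftp_example(Policy(block_app_from={("FTP", "IP2")}))
    print(decisions)
```

Because the decision is keyed on the (address, port) pair the driver announced rather than on a fixed well-known port, the same policy works whether the session uses port 123, 5555 or any other dynamically chosen port, which is the capability the background section says a conventional gateway lacks.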

In the above-described examples, communications between the various computers are discussed.
It is well known that a typical computer may include a central processing unit and memory for processing
and storing data and programs. The computers may also include external interface devices, such as a
modem or network card. It is understood that each of the computers and networks discussed above may
be similarly configured, or may be very different. It is also understood that other network nodes, such as
mobile nodes using Mobile IP, can benefit from the present invention.

The present disclosure uses the NAA driver-server pair for intelligently identifying and
associating IP addresses and ports with predetermined network applications executed by computer nodes
in a network environment. It is understood that the private network is not necessarily limited to a
physical location, and the gateway installed with the NAA server is not necessarily located at the same
location as the private network. In today's web centric networking environment, a private network can
easily exist in a virtual manner because all the computers/servers belonging to the private network can be
located at different locations while still being connected to the gateway through the web, as long as the
gateway can be identified at any moment.

To the extent that the gateway is connectable to and accessible by the individual computers, the
gateway can still control the information flow based on specific applications. It is therefore also
contemplated by the present invention that the function of the gateway can be centrally located and
provided as an Application Service Provider. This can reduce the burden of each private network to have
its gateway independently managed.

Another advantage of the present invention is that two different communication components can
be used: the NAA driver and the NAA server, which add intelligence to packet processing. Moreover,
both the NAA driver and server can work together in a symmetric mode of communication. That is, the
driver and server work in both communication directions. Furthermore, the NAA driver and server
allow the gateway to control communications between a private network and outside networks at the
granularity of each computer application and each related computer.

While the invention has been particularly shown and described with reference to the preferred
embodiment thereof, it will be understood by those skilled in the art that various changes in form and
detail may be made therein without departing from the spirit and scope of the invention.
WHAT IS CLAIMED IS:

1. A method for controlling packet communications between a first network and a second
network, the method comprising:

implementing a server module in a connecting node, the connecting node for monitoring one or
more packets exchanged between the first and second networks;

implementing a driver module in a first node inside the first network; and

associating, with the assistance of the server and driver modules, a network address and port used
by the first node with a predetermined application,

wherein the network address and port is used for sending at least one packet of the application to
a second node in the second network.

2. The method of claim 1 further comprising:

executing packet communications between the server module and the driver module to inform the
connecting node about the network address and port used by the first node for the predetermined
application before the first node sends a first packet of the application to the second node.

3. The method of claim 2 wherein the network address and port used by the first node and
information for identifying the predetermined application are included in a predetermined data portion of
at least one packet exchanged between the server module and the driver module.

4. The method of claim 1 wherein the driver module monitors information exchanged
between an application interface (API) of the application and a network driver of the first node.

5. The method of claim 4 further comprising:

the driver module extracting information regarding the application from the information
exchanged between the API and the network driver; and

sending the extracted information to the server module.

6. The method of claim 1 wherein the step of associating further comprises establishing a
look-up table for recording a relation between the application and the network address and port used by
the first node for the application.

7. The method of claim 6 wherein the look-up table further comprises a network address
and port for the second node for executing the application.



8. A computer software system for controlling packet communications, based on
applications, between a first computer network and a second computer network, the system comprising:

a network application association (NAA) server module implemented in a gateway node, the
gateway node monitoring one or more packets exchanged between the first and second computer
networks;

an NAA driver module implemented in a first computer inside the first computer network; and

means for associating a network address and port used by the first computer with a predetermined
application, the network address and port being used for sending at least one packet of the application to a
second computer in the second network.



9. The system of claim 8 further comprising:

means for executing packet communications between the NAA server module and the NAA
driver module to inform the gateway node about the network address and port used by the first computer
for the predetermined application before the first computer sends a first packet of the application to the
second computer.

10. The system of claim 9 wherein the network address and port used by the first computer
and information for identifying the predetermined application are included in a predetermined data
portion of at least one packet exchanged between the NAA server module and the NAA driver module.



11. The system of claim 8 wherein the NAA driver module monitors information exchanged
between an application interface (API) of the application and a network driver of the first computer.

12. The system of claim 11 wherein the NAA driver module includes means for extracting
information regarding the application from the information exchanged between the API and the network
driver, and means for sending the extracted information to the NAA server module.



13. The system of claim 8 wherein the means for associating further comprises a look-up
table for recording a relation between the application and the network address and port used by the first
computer for the application.

14. The system of claim 13 wherein the look-up table further comprises a network address
and port for the second computer for executing the application.

15. A method for controlling packet communications between a first computer network and a
second computer network, the method comprising:

extracting, by a network application association (NAA) driver module implemented in a first
computer of the first computer network, information about an application session and a network address
and port used by the first computer for sending packets of the application session to a second computer in
the second computer network when the first computer initially determines a port for the application
session;

sending the extracted information from the NAA driver module to an NAA server module
implemented in a gateway node of the first computer network, the gateway node monitoring one or more
packets exchanged between the first and second computer networks;

establishing a look-up table for recording the relation between the application session and the
network address and port used by the first computer for the application session; and

controlling the packet communications between the first and second network by the gateway node
based on the established look-up table.

16. The method of claim 15 wherein the step of sending is completed before the first
computer sends a first packet of the application session to the second computer.

17. The method of claim 15 wherein the network address and port used by the first computer
and information for identifying the application session are included in a predetermined data portion of at
least one packet exchanged between the NAA server module and the NAA driver module.

18. The method of claim 15 wherein the NAA driver module monitors information
exchanged between an application interface (API) of the application session and a network driver of the
first computer.

19. The method of claim 15 wherein the look-up table further comprises a network address
and port for the second computer for executing the application session.

20. A method for controlling packet communications between a first computer network and a
second computer network based on applications, the method comprising:

extracting, by a driver module implemented in a first computer of the first computer network,
information for identifying a network application session and a network address and a first port used by
the first computer to send packets to a second computer in the second computer network for the
application session;

sending the extracted information from the driver module to a server module implemented in a
gateway node of the first computer network, the gateway node assigning a second port for the application
session;

establishing a look-up table for recording the relation among the application session, the network
address, the first port and the second port used for the application session by the first computer; and

controlling the packet communications between the first and second computers by the gateway
node based on the established look-up table.

21. The method of claim 20 wherein the step of sending is completed before the first
computer sends a first packet of the application session to the second computer.

22. The method of claim 20 wherein the network address and the first port used by the first
computer and information for identifying the application session are included in a predetermined data
portion of at least one packet exchanged between the server module and the driver module.

23. The method of claim 20 wherein the driver module monitors information exchanged
between an application interface (API) of the application session and a network driver of the first
computer.

24. The method of claim 20 wherein the look-up table further comprises a network address
and port used by the second computer for the application session.